MegaplanIT Blog's & Informational Resources


Incident Response – Anatomy of an Incident Response Test Plan PT 2

Posted by MegaplanIT on 7/15/21 9:04 AM

Written By:

Caleb Coggins: Director of Compliance Services

Mark Repka: Security Consultant

Michele Adelaar: Security Consultant


As discussed last week, testing your Incident Response Plan is critical, and for some organizations it is an external requirement (e.g., PCI DSS compliance). For PCI, testing must occur at least annually and include a lessons-learned postmortem to update or evolve the plan. The two common IR test methods are a Tabletop Exercise and a Functional Exercise (Simulated Attack). Regardless of the testing method you select, your test approach should align with the steps documented in your IR Plan.


As outlined in NIST SP 800-84, the following steps help an organization to prepare for and conduct a test of its Incident Response Plan and procedures.


As with many cyclical, iterative processes, the Incident Response Lifecycle does not officially end. After a test is complete, after-action items may be assigned to personnel for continued improvement and in preparation for the next periodic IR test. One of the interesting results of an IR test is the identification of gaps in procedures or tools. Where are the blind spots within our organization’s logging and monitoring solutions? Are our procedures sufficiently detailed and clear, so that responders understand what needs to be done in a given situation? Organizations increasingly rely on playbooks to define (and automate) responses to predictable events. These playbooks may originate externally and be modified to conform to an organization’s unique characteristics. For example, the Cybersecurity and Infrastructure Security Agency (CISA) has a publicly available Ransomware Guide that provides useful guidance for security controls preparation, IR planning, and IR response procedures.


Join Us Next Week

Next week, we continue our series with a look at what an Incident Response Plan actually looks like.

View part 3 - What does an Incident Response Plan look like?

Here at MegaplanIT, we have decades of experience handling incident response plans, testing, and analysis of threats to production environments. Our SOCaaS can aid you in identifying and responding to security events and malicious activities within your environment. Our dedicated consultants advise on incident response plan scenarios, custom-tailored to your organization, minimizing impact to your team while maintaining the maximum return on investment. Reach out today for assistance with creating a test or reviewing processes for compliance.

